Verisource Services, a Houston-based employee benefits provider, initially reported a data breach affecting 1,382 individuals in February 2024. However, further investigation revealed the breach was far more extensive, ultimately impacting up to 4 million people. The breach was caused by unauthorized access to Verisource’s systems, with hackers exfiltrating sensitive data, including personal identifiers and protected health information. The company engaged third-party experts to assess the breach’s scope, and the investigation revealed that the exfiltration occurred a day before the incident was detected, on February 27, 2024.
Initially, only limited information was believed to have been compromised, but as the investigation progressed, the scope expanded.
By August 2024, the breach was reported to the HHS’ Office for Civil Rights (OCR), confirming that 112,726 individuals had their protected health information exposed. The most recent notification to the Maine Attorney General revealed that up to 4 million individuals were affected, a significant increase from earlier estimates. The OCR breach portal still lists the total at 112,726, but this number is expected to be updated soon.
Verisource Services stated that the data review, which began in early 2024, was not completed until April 17, 2025. The company also reported the breach to the FBI and implemented additional security measures to prevent future incidents. Notification letters were sent to some affected individuals, but the bulk of notifications only went out recently.
Verisource has offered complimentary credit monitoring, identity theft protection, and a $1 million identity theft insurance policy to those affected by the breach.
The breach has already led to class-action lawsuits alleging Verisource Services’ negligence in protecting sensitive data. As the breach total increases, more lawsuits are expected. These lawsuits claim that Verisource Services failed to implement appropriate cybersecurity measures, violating industry best practices. The lawsuits seek a jury trial, damages, and legal fees, reflecting the severity of the breach and its consequences.
Reference:
